Together, vCenter Server, NSX Manager, and VMware Integrated OpenStack form the secure multitenant platform of the vCloud NFV design. VMware Integrated OpenStack provides the same abstraction layers for secure multitenancy in a three-pod design as it does in a two-pod design. vCenter Server provides the infrastructure for fine-grained allocation and partitioning of compute and storage resources, while NSX for vSphere creates the network virtualization layer, an abstraction between the physical and virtual networks. On top of that layer, NSX for vSphere provides logical switches, firewalls, load balancers, and VPNs.

VMware Integrated OpenStack adds a further abstraction layer that divides the pooled resources among tenants, creating a secure tenant virtual data center (vDC). Each tenant receives resource-level isolation and guaranteed resource availability, which lets the CSP plan capacity for tenant allocations more accurately, while tenants are at the same time isolated from one another within the network. This section describes how the VMware Integrated OpenStack abstraction layers, Projects and Tenant vDCs, are used to provide a secure multitenant environment for deploying VNFs.

Figure 1. vCloud NFV OpenStack Edition Multitenant Networking in Three-Pod Design

Physical compute, storage, and network resources are first mapped to NFVI virtual resources: clusters for compute, datastores for storage, and virtual switches for networking. VMware Integrated OpenStack then manages these virtual resources for consumption by tenants.

The CSP allocates and reserves resources for tenants through Tenant vDCs. Every Tenant vDC is backed by a resource pool in the compute cluster, and the CSP manages that pool's resource settings (reservation, limit, and shares) from VMware Integrated OpenStack. This guarantees each Tenant vDC the resources it is entitled to while preventing it from exceeding its configured limit.

Tenant edge devices that are deployed from VMware Integrated OpenStack are placed in the dedicated Edge cluster in a three-pod design, and in the compute cluster in a two-pod design. VNFs are deployed in a separate and dedicated resource pool nested within the compute cluster. This separation of edge devices and VNF workload resources prevents one from starving the other.
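The guarantees described in the two paragraphs above rest on the reservation and limit settings of the resource pools that back each Tenant vDC and the edge pool. The following is an added example, not VMware code and not part of the original document: a small admission-control check a CSP could run before configuring the platform, modelled on the vSphere resource-pool semantics (reservation, limit, expandable reservation) that a Tenant vDC maps onto. The cluster sizes, pool names, headroom percentage, and VNF requests are constructed for illustration; the strict rule that a VNF is admitted only against its pool's own reservation is a design choice of this example, not a platform default.

```python
"""Admission control for Tenant vDC and edge resource pools (added example, not VMware code).

Models a compute cluster carved into non-expandable resource pools so that
(1) each Tenant vDC keeps the capacity it is entitled to,
(2) the edge pool and the tenant (VNF) pools cannot starve each other, and
(3) the sum of all reservations stays within the cluster minus an HA/overhead headroom.
All numbers are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Pool:
    """A resource pool backing a Tenant vDC or the edge appliances."""
    name: str
    cpu_reservation_mhz: int
    cpu_limit_mhz: int          # -1 means unlimited, as in vSphere
    mem_reservation_mb: int
    mem_limit_mb: int
    expandable: bool = False    # True would let the pool borrow unreserved parent capacity
    placed_cpu_mhz: int = 0     # reservation already consumed by VNFs placed in this pool
    placed_mem_mb: int = 0


@dataclass
class Cluster:
    name: str
    cpu_mhz: int
    mem_mb: int
    headroom_pct: int = 10      # assumed spare capacity kept for HA failover / hypervisor overhead
    pools: list = field(default_factory=list)


def validate_pool(pool: Pool) -> list[str]:
    """Return policy violations for one pool; an empty list means the pool is acceptable."""
    errors = []
    if pool.cpu_reservation_mhz <= 0 or pool.mem_reservation_mb <= 0:
        errors.append(f"{pool.name}: reservation must be > 0 to guarantee the tenant capacity")
    if pool.cpu_limit_mhz != -1 and pool.cpu_limit_mhz < pool.cpu_reservation_mhz:
        errors.append(f"{pool.name}: CPU limit is below the CPU reservation")
    if pool.mem_limit_mb != -1 and pool.mem_limit_mb < pool.mem_reservation_mb:
        errors.append(f"{pool.name}: memory limit is below the memory reservation")
    if pool.expandable:
        errors.append(f"{pool.name}: expandable reservation lets this pool grow into capacity "
                      "that other pools rely on; disable it for strict tenant isolation")
    return errors


def validate_cluster(cluster: Cluster) -> list[str]:
    """Check every pool and verify the aggregate reservations fit under the headroom."""
    errors = []
    for pool in cluster.pools:
        errors.extend(validate_pool(pool))
    usable_cpu = cluster.cpu_mhz * (100 - cluster.headroom_pct) // 100
    usable_mem = cluster.mem_mb * (100 - cluster.headroom_pct) // 100
    total_cpu = sum(p.cpu_reservation_mhz for p in cluster.pools)
    total_mem = sum(p.mem_reservation_mb for p in cluster.pools)
    if total_cpu > usable_cpu:
        errors.append(f"{cluster.name}: CPU reservations {total_cpu} MHz exceed usable {usable_cpu} MHz")
    if total_mem > usable_mem:
        errors.append(f"{cluster.name}: memory reservations {total_mem} MB exceed usable {usable_mem} MB")
    return errors


def place_vnf(pool: Pool, cpu_mhz: int, mem_mb: int) -> bool:
    """Admit a VNF into a Tenant vDC only if the pool's own reservation still covers it.

    Because the pool is non-expandable, a rejected VNF cannot silently draw on capacity
    reserved for the edge pool or another tenant; that is what keeps them from starving each other.
    """
    if pool.placed_cpu_mhz + cpu_mhz > pool.cpu_reservation_mhz:
        return False
    if pool.placed_mem_mb + mem_mb > pool.mem_reservation_mb:
        return False
    pool.placed_cpu_mhz += cpu_mhz
    pool.placed_mem_mb += mem_mb
    return True


def build_cluster() -> Cluster:
    """Constructed two-pod style layout: edge pool and two Tenant vDCs in one compute cluster."""
    cluster = Cluster("compute-pod", cpu_mhz=200_000, mem_mb=1_048_576)
    cluster.pools = [
        Pool("edge-pool", 20_000, 20_000, 65_536, 65_536),
        Pool("tenant-a-vdc", 80_000, 80_000, 393_216, 393_216),
        Pool("tenant-b-vdc", 60_000, 100_000, 262_144, 262_144),
    ]
    return cluster


def demo() -> dict:
    """Validate the layout, then try to place two VNFs into tenant A."""
    cluster = build_cluster()
    tenant_a = cluster.pools[1]
    placements = [
        place_vnf(tenant_a, cpu_mhz=50_000, mem_mb=200_000),   # fits in tenant A's reservation
        place_vnf(tenant_a, cpu_mhz=40_000, mem_mb=100_000),   # would exceed it: rejected
    ]
    return {"config_errors": validate_cluster(cluster), "placements": placements}


if __name__ == "__main__":
    print(demo())
```

The rejected second placement is the point: the cluster as a whole still has spare capacity, but tenant A may not consume it, because that spare capacity is the headroom and the unreserved share that the edge pool and tenant B rely on. In a three-pod design the edge pool would live in the dedicated Edge cluster instead, and the same checks would be run per cluster.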

Separation of network access between NFVI tenants is essential for secure multitenancy on a horizontally shared platform. VMware Integrated OpenStack integrates with vCenter Server and NSX for vSphere to manage the creation and consumption of isolated Layer 2 networks. CSPs must ensure that the necessary connectivity to external networks is in place for consumption by tenants. Networks that are internal to an NFVI tenant, or to a single VNF instance, can be created using the VMware Integrated OpenStack user interface or API. As described in Virtual Networking Design Using VMware NSX Manager, the tenant can configure ESG firewall rules and additional services from within the Tenant vDC.